Abstract 

In this paper a secret sharing scheme based on the word problem 
in groups is introduced. The security of the scheme and possible 
variations are discussed in section 2. The article concludes with the 
suggestion of two categories of platform groups for the implementation 
of the scheme. 



1 Introduction 

The problem of distributing a secret among a group of $n$ persons in such 
a way that it can be reconstructed only if at least $t$ of them combine their 
shares was solved independently by A. Shamir [5] and G. Blakley [1] in 
1979. In recent years several cryptographic methods have used group 
theoretic machinery (see e.g. [4]). In the present article, combining these 
two fields, we use group presentations and the word problem in groups in 
order to develop a new secret sharing scheme. Its main advantage over the 
schemes mentioned before is that it does not require the secret message to 
be determined before each individual person receives his share of the secret. 

In the section following the introduction the scheme is introduced. The 
article ends with a general discussion about the scheme and some suggestions 
concerning the platform groups which could be used for its implementation. 



2 The scheme 

Suppose that a binary sequence must be distributed among n persons in 
such a way that at least t of them must cooperate in order to obtain the 
whole sequence. The secret sharing scheme consists of the following steps: 






Step 1 A group $G$ with finite presentation $G = \langle x_1, x_2, \ldots, x_k / r_1, \ldots, r_m \rangle$ 
and soluble word problem is chosen. We require that m = 

Step 2 Let $A_1, \ldots, A_m$ be an enumeration of the subsets of $\{1, \ldots, n\}$ with 
$t-1$ elements. Define $n$ subsets of $\{r_1, \ldots, r_m\}$, $R_1, \ldots, R_n$, with $r_j \in R_i$ 
if and only if $i \notin A_j$, $j = 1, \ldots, m$, $i = 1, \ldots, n$. 

Then for every $j = 1, \ldots, m$, $r_j$ is not contained in exactly $t-1$ of the 
subsets $R_1, \ldots, R_n$. It follows that $r_j$ is contained in any union of $t$ of 
them whereas if we take any $t-1$ of the $R_1, \ldots, R_n$ there exists a $j$ such 
that $r_j$ is not contained in their union. 

Step 3 Distribute to each of the $n$ persons one of the sets $R_1, \ldots, R_n$. The set 
$\{x_1, \ldots, x_k\}$ is known to all of them. 

Step 4 If the binary sequence to be distributed is $a_1 \cdots a_l$, construct and 
distribute a sequence of elements $w_1, \ldots, w_l$ of $G$ such that $w_i =_G 1$ if 
and only if $a_i = 1$, $i = 1, \ldots, l$. The word $w_i$ must involve most of the 
relations $r_1, \ldots, r_m$ if $w_i = 1$. Furthermore, all of the relations must 
be used at some point in the construction of some element. 

Any $t$ of the $n$ persons can obtain the sequence $a_1 \cdots a_l$ by taking the 
union of the subsets of the relations of $G$ that they possess and thus obtaining 
the presentation $G = \langle x_1, x_2, \ldots, x_k / r_1, r_2, \ldots, r_m \rangle$ and solving the word 
problem $w_i =_G 1$ in $G$ for $i = 1, \ldots, l$. 

A coalition of fewer than $t$ persons cannot decode the message correctly 
since the union of fewer than $t$ of the sets $R_1, \ldots, R_n$ contains some but not 
all of the relations $r_1, \ldots, r_m$. Thus such a coalition could obtain a group 
presentation $G' = \langle x_1, \ldots, x_k / r'_1, \ldots, r'_p \rangle$ with $p < m$ and $G \neq G'$, where 
$w_i =_G 1$ is not equivalent to $w_i =_{G'} 1$ in general. 
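
The share assignment of Step 2 and the two threshold claims that follow it can be checked mechanically. The sketch below is an added example, not code from the paper: relators are represented only by their indices $j$, the function names are hypothetical, and $m$ is taken to be the number of $(t-1)$-subsets that Step 2 enumerates.

```python
from itertools import combinations

def build_shares(n, t):
    """Step 2: list the (t-1)-subsets A_1..A_m of {1..n}; person i gets
    the index j of relator r_j exactly when i is not in A_j."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    subsets = list(combinations(range(1, n + 1), t - 1))  # A_1, ..., A_m
    shares = {i: {j for j, a in enumerate(subsets, 1) if i not in a}
              for i in range(1, n + 1)}                   # R_1, ..., R_n
    return subsets, shares

def pooled(shares, coalition):
    """Relator indices a coalition holds after taking the union of its R_i."""
    return set().union(*(shares[i] for i in coalition))

def check_threshold(n, t):
    """Exhaustively confirm both claims made after Step 2."""
    subsets, shares = build_shares(n, t)
    all_relators = set(range(1, len(subsets) + 1))
    people = range(1, n + 1)
    # Any t persons together recover every relator r_1..r_m.
    for c in combinations(people, t):
        if pooled(shares, c) != all_relators:
            return False
    # Any t-1 persons miss exactly one relator: the r_j with A_j = coalition.
    for c in combinations(people, t - 1):
        if all_relators - pooled(shares, c) != {subsets.index(c) + 1}:
            return False
    return True

if __name__ == "__main__":
    subsets, shares = build_shares(4, 3)          # constructed sample: n=4, t=3
    print("m =", len(subsets))
    for i, r in shares.items():
        print(f"R_{i} = {sorted(r)}")
    print("coalition (1, 2) lacks", set(range(1, 7)) - pooled(shares, (1, 2)))
    print("threshold holds:", check_threshold(4, 3))
```

Each person holds the relators indexed by the $(t-1)$-subsets that avoid them, so both the number of relators and the size of every share grow combinatorially with $n$ and $t$.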

3 Remarks and implementation 

It should be pointed out that, contrary to other schemes (e.g. Shamir's, 
Blakley's scheme), the secret sequence to be shared is not needed until the 
final step. It is possible for someone to distribute the sets $R_1, \ldots, R_n$ and 
decide at a later time what the sequence would be. In that way the scheme 
can also be used so that $t$ of the $n$ persons can verify the authenticity of 
the message. In particular the binary sequence in step 4 could contain 
a predetermined subsequence (signature) along with the normal message. 
Then $t$ persons may check whether this predetermined sequence is contained 
in the encoded message, thus validating it. One word of caution though: such 
a use might make it possible for fewer than $t$ persons (or even a third party) to 
discover all of the relations $r_1, \ldots, r_m$. This can be made more difficult by 
not specifying where exactly the signature should appear. 

One method of attack on this system is to search the pool of possible 
presentations of groups $G = \langle x_1, x_2, \ldots, x_k / r_1, \ldots, r_m \rangle$ that are used in 
the first step and try to decode the transmitted message $w_1, \ldots, w_l$. This 
task is easier if the attacker has some information concerning the encoded 
message (e.g. the attacker may know that a certain block of the message 
contains a specific binary sequence/signature as discussed in the previous 
paragraph). Thus, this pool must contain a large number of groups. The 
reader may consult [4, 6.1.5] for further discussion on the efficiency of this 
type of attack. 

The above line of attack is expedited if the attacker possesses some of the 
sets $R_1, \ldots, R_n$ (e.g. he might be one of the $n$ persons sharing the secret). 
For this reason we require in step 4 that a word $w$ encoding 1 must involve 
most of the relations: if someone possesses the relations $r'_1, \ldots, r'_p$ 
and only these are involved in a word $w =_G 1$, then he may decode the word 
correctly, since $w =_{G'} 1$ for the group $G' = \langle x_1, \ldots, x_k / r'_1, \ldots, r'_p \rangle$. 

One way of creating a word representing 1 is by the product 

l 

j 

where $r'_j$ is a relation, $w_j$ a random element, $l$ a (large) natural number 
and $[a, b] = aba^{-1}b^{-1}$ is the commutator of $a$ and $b$. This kind of encoding 
might also render useless some of the quotient attacks [4, 6.1.6]. A larger 
set of relations in step 1 should make these attacks more difficult to use. 
On the other hand, the fact that a word $w$ built using only the relations 
contained in $R_j$ can be decoded correctly by the person holding this set 
may be used to send messages to a specific person secretly from the rest of 
the group. 

Finally we propose some categories of group presentations which could 
be used in step 1: 

Polycyclic groups: polycyclic groups with presentation 

$\langle x_1, \ldots, x_k / x_j^{x_i} = w_{ij},\ x_j^{x_i^{-1}} = v_{ij},\ x_l^{r_l} = u_l \text{ for } 1 \le i < j \le k,\ l \in I \rangle$ 

where $I \subseteq \{1, \ldots, k\}$, $r_l \in \mathbb{N}$ for all $l \in I$, $w_{ij}, v_{ij}, u_l$ are words in 
$x_{j+1}, \ldots, x_k$ and $x^y = y^{-1}xy$. The interested reader may consult [3] 
for a discussion on the use of polycyclic groups. 






Coxeter groups: Coxeter groups with presentation 

$\langle x_1, \ldots, x_k / (x_i x_j)^{m_{ij}} = 1,\ i, j = 1, \ldots, k \rangle$ 

where $m_{ij} \in \mathbb{N} \cup \{+\infty\}$, $m_{ij} \neq 0$, $m_{ii} = 1$. There exists an extensive 
bibliography on Coxeter groups. A place to start is [2], which also contains 
references on the word problem in Coxeter groups. 